By Bob Gourley
Cognitio co-founder and CEO Roger Hockenberry was featured in a special BizTechReports piece which focused on Cognitio’s capabilities in cyber threat reduction.
The following is an excerpt:
When it comes to cybersecurity, what you don’t know about the nature and sophistication of threats can hurt your organization badly. In the aftermath of high-profile data breaches at Sony, Target and Home Depot, chief information officers (CIOs), chief information security officers (CISOs) and other IT security professionals both in government and the private sector are playing from behind.
In today’s rapidly evolving threat environment, commercial and government organizations must not only identify cyber threat vectors and determine their potential impact on critical infrastructure, they also must take their game to the next level – by thinking differently. Only by combining the latest advancements in security intelligence with global threat intelligence feeds and advanced security analytics can executives quickly detect and respond to increasingly sophisticated cyberattacks.
To give us a perspective on this question, we had the opportunity to speak with Roger Hockenberry, CEO and founding partner of Cognitio, a strategic consulting and engineering firm established and managed by a team of former senior technology executives from the U.S. Intelligence Community. Cognitio leverages an extraordinary track record of protecting some of the nation’s greatest secrets and delivering actionable intelligence to the nation’s top leaders in order to help companies across disparate industries to effectively manage technology, maximize technology investments and reduce overall institutional risk.
Mr. Hockenberry is a proven technologist and business executive with over 20 years of experience working with all aspects of IT to assist enterprises in better utilizing technology to create, deploy and operate unique and innovative solutions and provide mission and competitive advantage. He is the former Chief Technology Officer for the National Clandestine Service of the Central Intelligence Agency, where he helped shape mission capabilities across a broad spectrum of activities. In this Q&A, Mr. Hockenberry shared valuable insights about the changing threat environment and how the company’s motto, “How We Think”, translates into Cognitio’s value proposition:
BTR: Thank you Roger, please tell me a little about what Cognitio is and what your mission is?
RH: Cognitio is a company that represents a merger of three other companies. There’s basically four partners: the first one is Bob Gourley, who was the former CTO of the Defense Intelligence Agency. He left government about five years ago and started doing consulting on his own through a company called Crucial Point. He also started to publish CTO Vision, and a couple of other properties and grow those. He had reached a point where he was being overworked with the amount of things he was doing. The other partner, Bob Flores, used to be the CTO at the Central Intelligence Agency and he left about the same time – five years ago and had his own company, Applicology, which was doing advisory work to help clients enter the federal marketplace. The other company was Green Badge, which was run by David Highnote, who had a very long background in marketing and advertising and consulting as well. All three were really good, viable companies. I left the Central Intelligence Agency back in January.
RH: On the commercial side, we offer the Cyber 360, which looks at an enterprise across a wide continuum. A lot of companies come in and they do very point specific types of assessments. They may only patch a server or only look at whether you are updating your signatures. They miss a wide array of other issues that are important from a leadership perspective, such as cyber intelligence and the business process around cyber risk remediation.
They don’t tend to focus on understanding how breaches like the Sony breach or the Target breach actually apply to them specifically and they do very little R&D — even around the cyber threat and knowing how that feeds into making the enterprise more secure. Our goal is always to help a company understand that risk. We have to ask: “Am I running my business appropriately and do I have the right governance and processes in place to help remediate risk?”
Because it’s not a question of eliminating risk, it is understanding and managing risk. What we see is many companies don’t understand why nation states or hacktivists would be targeting them. So we focus on educating our clients to understand that they must operate as almost a mini-intelligence agency themselves and collect and analyze information that affects how they operate — because in many cases they are targets.
BTR: Typically, the Chief Information Security Officer (CISO) has been a bit of a bolt-on activity, right – or the risk manager – not typically brought in on the front of the project. Are you trying to forge those relationships?
RH: Part of our Cyber 360 is we look at the CISO, the security officer function. Most of them typically report to the wrong person or they have a high turnover rate. Because cyber is now a burgeoning market, there’s a lot of turnover among good security people. So part of our goal is to help an enterprise establish foundational security tenets – basically guidelines and principles – that can help them weather turnover in the security cadre. The CISO himself, I think, is under a lot of pressure because on the commercial side the goal still is to reduce costs of IT expenditure year-over-year annually. It is difficult to understand the return on security investments. So if I spend a half a million dollars – or $5 million – on deep packet inspection, that doesn’t necessarily make your company any safer. But it’s hard to create metrics. After all, if you haven’t had a breach, does that mean you’re 100% secure? The answer is clearly no. So for us, we work with them on a set of metrics they can look at to establish year-over-year health. We also are making sure that they understand that landscape.
BTR: Is that like an index, an algorithm of different end points that – you’ve got an overall score of B…?
RH: Actually it is a benchmark – 24 elements divided into four categories – a basic e-map that we’ve based on some metrics we create so we can show comparison values. Generally I don’t like showing people how they compare to peers because then we’re all just in the same mediocre boat together. The goal is to get them to see their own enterprise and see where they spend their money. If you go into some enterprises, they will spend an inordinate amount of money on identity management or a PKI certificate or data loss protection. But they may overlook things like aggressive patch management, vendor management. Nowadays, people outsource everything and they don’t typically update their outsource agreements. They have no way of remediating risk of attacks that originate – as some did this year – from partner networks.
For more, see Lane Cooper’s “Managing Cyber Threats with Roger Hockenberry, CEO and founding Partner of Cognitio” in BizTechReports.